Title

Author

Defense Date

2008

Document Type

Dissertation

Degree Name

Doctor of Philosophy

Department

Information Systems

First Advisor

Dr. Gurpreet Dhillon

Abstract

This thesis argues that organizational power impacts the development and implementation of Information Systems (IS) Security policy. The motivation for this research stems from the continuing concern of ineffective security in organizations, leading to significant monetary losses. IS researchers have contended that ineffective IS Security policy is a precursor to ineffective IS Security (Loch et al. 1992; Whitman et al. 2001; David 2002; Solms and Solms 2004). Beyond this pragmatic aspect, there is a gap in the literature concerning power relationships and IS Security policy. This research intends to bridge the gap. The dissertation is a two phased study whereby the first phase seeks to understand the intricacies of IS Security policy formulation and implementation. In the first phase, a conceptual framework utilizes Katz's (1970) semantic theory. The conceptual framework provides the theoretical foundation for a case study that takes place at an educational institution's Information Technology (IT) Department. In the results, it is confirmed that a disconnect exists between IS Security policy formulation and implementation. Furthermore, a significant emergent finding indicates that power relationships have a direct impact on this observed disconnect. The second phase takes place as an in depth case study at the IT department within a large financial organization. The theoretical foundation for the second phase is based was Clegg's (2002) Circuits of Power. A conceptual framework for this phase utilizes this theory. This framework guides the study of power relationships and how they might affect the formulation and implementation of IS Security policy in this organization. The case study demonstrates that power relationships have a clear impact on the formulation and implementation of IS security policy. Though there is a strong security culture at the organization and a well defined set of processes, an improvement in the process and ensuing security culture is possible by accounting for the effect of power relationships.